Certain cybersecurity incident response and security operation systems, such as the IncMan incident response platform available from DFLabs, incorporate the use of playbooks to assist a user in responding to a cybersecurity incident.
Playbooks are collections of manual and automated actions designed to resolve an incident or complete an investigation. For example, in the IncMan platform, sets of predefined playbooks can be provided based on different industry standards. Each incident is categorized according to one or more type values, and these type values are used to match related playbooks to an incident. Each playbook is described by properties including a type, a category and a set of actions, which can be grouped into subcategories. Multiple playbooks can be linked to the same incident. Actions to be assigned to users can be defined within a playbook. Additionally, automated actions for enrichment, containment and notification of the incident can be assigned as part of each playbook.
In the IncMan platform, the user can select from a number of pre-constructed playbooks and later customize them. Playbooks are proposed based only on the type of the incident recorded in a log record; no other incident fields of the log record are taken into account, and any subsequent user customization (i.e., the addition or removal of actions) is not taken into account when pre-constructed playbooks are proposed.
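The following Python model is added here for illustration and is not code from the IncMan platform or from this disclosure. It represents incidents, playbooks and actions with the properties named above (type values, category, actions grouped into subcategories, manual actions assigned to users, automated enrichment/containment/notification actions) and implements the type-only matching just described: the matcher reads nothing but the incident's type values, so other incident fields and any per-playbook customization have no effect on which playbooks are proposed. The class names, field names and the sample catalog are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Action:
    name: str
    category: str                   # e.g. "enrichment", "containment", "notification"
    subcategory: str = ""           # optional grouping within a category
    automated: bool = False         # True: runs without a user; False: assigned to a user
    assignee: Optional[str] = None  # user a manual action is assigned to


@dataclass
class Playbook:
    name: str
    type: str                       # the incident type value this playbook applies to
    category: str                   # e.g. the industry standard the playbook is based on
    actions: List[Action] = field(default_factory=list)


@dataclass
class Incident:
    id: str
    types: FrozenSet[str]           # one or more type values assigned at categorization
    fields: Dict[str, str] = field(default_factory=dict)  # severity, source, etc.


def match_playbooks(incident: Incident, catalog: List[Playbook]) -> List[Playbook]:
    """Propose playbooks by comparing type values only.

    Deliberately ignores incident.fields and any customization of the
    playbooks' action lists, mirroring the limitation described in the text.
    """
    return [pb for pb in catalog if pb.type in incident.types]


def group_actions(playbook: Playbook) -> Dict[str, Dict[str, List[str]]]:
    """Group a playbook's actions by category, then by subcategory."""
    grouped: Dict[str, Dict[str, List[str]]] = {}
    for action in playbook.actions:
        grouped.setdefault(action.category, {}) \
               .setdefault(action.subcategory, []) \
               .append(action.name)
    return grouped


def split_actions(playbooks: List[Playbook]) -> Tuple[List[str], Dict[str, Optional[str]]]:
    """Separate automated actions from the manual ones and their assignees."""
    automated = [a.name for pb in playbooks for a in pb.actions if a.automated]
    manual = {a.name: a.assignee for pb in playbooks for a in pb.actions if not a.automated}
    return automated, manual


# Constructed sample catalog (assumed content, not IncMan's real playbooks).
CATALOG: List[Playbook] = [
    Playbook("Malware triage", type="malware", category="NIST SP 800-61", actions=[
        Action("Look up file hash", "enrichment", "threat intel", automated=True),
        Action("Isolate host", "containment", "endpoint", automated=True),
        Action("Collect memory image", "containment", "forensics", assignee="analyst"),
    ]),
    Playbook("Phishing response", type="phishing", category="NIST SP 800-61", actions=[
        Action("Extract URLs from email", "enrichment", "email", automated=True),
        Action("Notify affected users", "notification", assignee="comms"),
    ]),
    Playbook("Data exfiltration", type="exfiltration", category="ISO/IEC 27035", actions=[
        Action("Block destination IP", "containment", "network", automated=True),
    ]),
]


def propose(incident: Incident) -> List[str]:
    """Names of the playbooks proposed for an incident from the sample catalog."""
    return [pb.name for pb in match_playbooks(incident, CATALOG)]


if __name__ == "__main__":
    # Constructed incident: two type values, plus a severity field the matcher ignores.
    inc = Incident("INC-0001", frozenset({"malware", "phishing"}), {"severity": "high"})
    matched = match_playbooks(inc, CATALOG)
    print("Proposed:", [pb.name for pb in matched])
    for pb in matched:
        print(pb.name, "->", group_actions(pb))
    print("Automated / manual:", split_actions(matched))
```

Because `match_playbooks` consults only `incident.types`, two incidents that share type values but differ in severity or any other field receive the same proposals, and a playbook whose action list has been edited after creation is still proposed (or not) exactly as before; both are direct consequences of the type-only matching described above.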
Previous patent applications by the inventor of the present application pertaining to cybersecurity incident response systems and digital evidence control systems include U.S. patent application Ser. No. 11/784,794, filed Apr. 10, 2007 and published as U.S. Patent Publication 2008/0098219, and U.S. patent application Ser. No. 14/521,328, filed Oct. 22, 2014 and published as U.S. Patent Publication 2016/0044061. The entire disclosure of both of these previous patent applications by the inventor of the present application is hereby incorporated herein by reference. It is contemplated that the system described herein may be used in connection with cybersecurity incident response and security operation systems employing the subject matter described in the above-referenced previous patent applications by the inventor.
In certain platforms, it is known to provide playbooks that, once created, can be improved in a democratic fashion by team members over the course of time.